#1 Contributing User (Devshed Newbie, 0 - 499 posts), Join Date Jan 2013, Posts 87, Rep Power 2

    I keep getting upload failed message


    It is executing everything up to the part of the mysql_query

    PHP Code:
    <?php

    include 'connect.php';

    // assigning variables to different values of $_FILES array
    // (note: these read $_FILES['upload'] before the isset() check below runs)
    $name = addslashes($_FILES['upload']['name']);
    $tn   = addslashes($_FILES['upload']['tmp_name']);
    $size = $_FILES['upload']['size'];
    $desc = $_POST['description'];

    if(!isset($_FILES['upload'])){
        echo 'Please select an image!';
    }else{
        $image      = file_get_contents($tn);   // raw binary file contents
        $image_name = $name;
        $image_size = getimagesize($tn);

        if($image_size == FALSE){
            echo 'Sorry, but that is not an image!<br /><br /><a href="index.php">Go Back</a>';
        }else{
            // $image_name, $desc and the raw bytes of $image are interpolated
            // straight into the SQL string, so quotes or binary data in any of
            // them break the statement (and allow injection)
            if(!mysql_query("INSERT INTO `Group_1` VALUES('', '$image_name', '$desc', '$image')")){
                echo 'Sorry, but the file upload failed!<br /><br /><a href="index.php">Go Back</a>';
            }else{
                echo 'File upload successful!';
            }
        }
    }

    ?>

    Then when I try to separate the mysql query I get this MySQL error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz' at line 1
#2 Contributing User (Devshed Loyal, 3000 - 3499 posts), Join Date Jul 2003, Posts 3,464, Rep Power 594
    1) Don't use the deprecated MySQL extensions. Switch to PDO and use prepared statements. Your code is wide open to injections.
    2) It is poor programming practice to put a literal string into the call. Instead build the string in a variable. Prior to the call, echo that variable to make sure it contains what you expect.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
#3 Devshed Expert (3500 - 3999 posts), Join Date Jul 2012, Posts 3,959, Rep Power 1014
    Gosh, what you're doing there is gambling. When you throw raw binary data into the query string, the output could be pretty much anything -- not to mention specific attacks on this gigantic security hole (like gw1500se already said).

    Check the link in my signature for basic security.

    Also, do you actually wanna store the image itself in the database? Because that's a pretty exotic approach, which comes with some drawbacks. Avoid this unless you really know what you're doing (which I'm not so sure about).
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#4 Contributing User (Devshed Newbie, 0 - 499 posts), Join Date Jan 2013, Posts 87, Rep Power 2
    What other way is there besides dealing with directories, which I have already done and which just does not work for the system that I am trying to implement for my client? I am trying to create an admin area for him where he can change the names of the groups, delete specific images, move images to different groups and stuff like that. Basically, create a system that does not involve me having to write out the code to update his changes.
#5 Contributing User (Devshed Loyal, 3000 - 3499 posts), Join Date Jul 2003, Posts 3,464, Rep Power 594
    Place the images in directories and put the path in the database. Program your admin pages to move the images to the appropriate directory and update the database accordingly. As the admin deletes, moves and changes groups, your program will have 2 tasks for each. One to update the database (again using PDO and prepared statements) and the other to manage the physical location of the image files accordingly.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
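The upload handler from post #1 rewritten the way posts #2, #3 and #5 recommend (paths in the database, prepared statements, the image validated from its bytes); this is an added example, not code from the thread. It assumes connect.php defines $pdo as a PDO connection, that `Group_1` has columns name, description and path, that the hypothetical directory uploads/group_1 exists and is writable, and PHP 7 or later.

```php
<?php
// Added example, not the original poster's code: the same upload handler done
// the way the replies recommend. Assumptions: connect.php defines $pdo (a PDO
// connection), `Group_1` has columns name, description and path, and the
// hypothetical directory uploads/group_1 exists and is writable. Needs PHP 7+.
include 'connect.php';
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

const UPLOAD_DIR = __DIR__ . '/uploads/group_1';

// Check the upload exists BEFORE touching $_FILES['upload'][...] (the original
// read the array first and tested isset() afterwards).
if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
    exit('Please select an image!');
}
$tmp = $_FILES['upload']['tmp_name'];

// Decide whether it is an image from the bytes, not from the client's filename.
$info = @getimagesize($tmp);
if ($info === false) {
    exit('Sorry, but that is not an image!');
}

// Derive the extension from the detected type and allow only a short list.
$ext = image_type_to_extension($info[2], false);   // "jpeg", "png", "gif", ...
if (!in_array($ext, ['jpeg', 'png', 'gif'], true)) {
    exit('Sorry, but that image type is not allowed!');
}

// Server-chosen filename: no path components or collisions from user input.
$fileName = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $fileName)) {
    exit('Sorry, but the file upload failed!');
}

// Only metadata and the relative path go into the database, through a prepared
// statement; the values are bound as parameters, never spliced into the SQL.
$stmt = $pdo->prepare(
    'INSERT INTO `Group_1` (name, description, path) VALUES (:name, :desc, :path)'
);
$stmt->execute([
    ':name' => $_FILES['upload']['name'],
    ':desc' => $_POST['description'] ?? '',
    ':path' => 'uploads/group_1/' . $fileName,
]);

echo 'File upload successful!';
```

If the image bytes really must go into the database, bind them as a separate parameter with bindValue() and PDO::PARAM_LOB instead of interpolating them into the query string, which is what produced the syntax error in post #1.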
